NIST refreshes software program provide chain danger administration steerage

Fenika Bench

Adam Bannister

11 Might 2022 at 10:56 UTC

Up to date: 11 Might 2022 at 11:25 UTC

‘A complete software that may take you from crawl to stroll to run’

ffff

Infosec specialists have welcomed the US Nationwide Institute of Requirements and Expertise’s (NIST’s) overhaul of its cybersecurity provide chain danger administration steerage (C-SCRM).

Developed in response to an govt order signed by President Biden in Might 2021, the revised C-SCRM doc supplies recommendation on figuring out, assessing, and addressing cybersecurity dangers all through the provision chain.

The publication – ‘Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations’ (PDF) – urges acquirers and finish customers of {hardware}, software program, and digital companies to undertake due diligence on the origin and safety of a digital product’s elements.

“In case your company or group hasn’t began on [C-SCRM], it is a complete software that may take you from crawl to stroll to run, and it could possibly enable you to accomplish that instantly,” mentioned NIST’s Jon Boyens, co-author of the publication, in a press release.

‘Foundational best practices’

Attackers are increasingly targeting digital supply chains because they can compromise multiple devices, applications or organizations by poisoning or exploiting weaknesses in widely used components, with the 2020 SolarWinds attack the most devastating example to date.

Ilkka Turunen, field CTO at software supply chain security specialist Sonatype, told The Daily Swig: “As next-gen supply chain attacks increase, the C-SCRM guidance formalizes many known practices across organizations large and small.

“It describes foundational best practices – like generating SBOMs [software bill of materials] – and the sustaining activities needed to maintain effective supply chain security practices.

He continued: “This compendium of knowledge imparts how to defend against future log4Shell issues and other next-gen threats. It’s time for organizations to invest into automating these processes.”

RELATED NIST revamps aging enterprise patch management guidance

Tim Mackey, principal security strategist at Synopsys Cybersecurity Research Center, said the document covers much more than the value of SBOM for open source components.

“Software enters an organisation from multiple origin points, including open source and API usage,” he told The Daily Swig.

“Operators of software, whether the software is purely open source in nature or the result of proprietary development, effectively accept the business risks associated with the use of that software.

“Mitigation of software risks start with an understanding of how managed and unmanaged software usage with an organisation occurs, and progressively mitigating those risks – not just at the vendor level, but continuously with each new software version and change.”

Persistent issues

Cequence Security, an API security specialist, recently sounded the alarm on the ongoing persistence of the critical Log4Shell vulnerability, which was discovered six months ago in the near-ubiquitous logging utility Apache Log4j.

Catch up with the latest software supply chain attack news

The issue, which the firm dubbed ‘LoNg4j’, “illustrates how interconnected fashionable enterprise IT infrastructure is and the way this digital provide chain extends far past the identified functions”, mentioned Jason Kent, Hacker in Residence at Cequence Safety.

The revamped NIST steerage is presently obtainable solely as a PDF doc, however the authors mentioned they intend to additionally publish a extra user-friendly, clickable net model and a quick-start information geared toward organizations which are new to C-SCRM.

RECOMMENDED Zero-day bug in uClibc library might depart IoT gadgets susceptible to DNS poisoning assaults

Next Post

Superior Digital Media Providers Supply Assured website positioning Outcomes

Superior Digital Media Providers is a US-based full-service digital media advertising and marketing firm specializing in search engine marketing, providing assured website positioning outcomes to its shoppers at extremely approachable charges. Advanced Digital Media Services was based in 2009 as Superior CMS Providers Inc. The corporate was rebranded as Superior […]